This document summarizes a webinar about multi-factor authentication (MFA) versus two-factor authentication. It discusses how true MFA uses multiple authentication factors and considers the user's device context and risk level to determine the appropriate authentication method. Regulations like PSD2 are driving increased use of MFA. Engaging cross-functional teams from fraud, security, and user experience is important for implementing effective and user-friendly authentication.
9. AUTHENTICATING WITH TWO FACTORS
BETTER THAN ONE, BUT STILL….
• A way to resolve inherent issues with passwords
• Adds an additional, out-of-band authentication that comes through security dongles or the user’s phone
• Ostensibly, this provides additional assurance that the user’s account hasn’t been compromised or is subject to a man-in-the-middle attack
10. AUTHENTICATING WITH TWO FACTORS
BETTER THAN ONE, BUT STILL….
• If the 2nd factor is delivered through the SS7 protocol, it’s susceptible to intercept
• SMS messaging as a way to transfer 2-factor messages has been removed from NIST security guidance (see 800-63-3)
• Weaknesses have been uncovered in almost every form of 2FA, though push notification to a mobile app seems most secure
13. IT’S ALL ABOUT THE USER’S DEVICE
AN ENGINE FOR CONTEXT AND RISK
[Diagram: device signals feeding the risk engine: Device ID, Geo location, Device integrity, Additional device context, Associations & reputation; User 1 access]
14. RISK INSIGHT FROM THE USER’S DEVICE
[Diagram: the same signals scored for User 1 access; sample score contributions shown: +1000, +10, +10; Score = Low risk = Frictionless consumer experience]
15. CLEARKEY
AN ENGINE FOR CONTEXT AND RISK
[Diagram: the same signals scored for User 2 access; sample score contributions shown: +10, 0, +200; Score = Medium risk = Moderate friction: username & password]
16. CLEARKEY
AN ENGINE FOR CONTEXT AND RISK
[Diagram: the same signals scored for User 3 access; sample score contributions shown: +10, -10, 0; Score = High risk = PIN + biometric factors]
17. CLEARKEY
AN ENGINE FOR CONTEXT AND RISK
[Diagram: the same signals scored for User 3 access; sample score contributions shown: +10, -10; Watch lists: -1000; Score = High risk = Step-up authentication; watch-list hit = Call customer service]
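The risk-engine slides above describe a score built from device signals that selects a frictionless path, a password challenge, step-up authentication, or a hand-off to customer service. The Python below is an added illustration of that decision flow, not code from the webinar or from ClearKey; the signal names, weights, thresholds and sign convention (higher score = higher risk) are constructed assumptions, since the deck shows only sample contributions.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    FRICTIONLESS = "frictionless experience"         # low risk
    PASSWORD = "username and password"               # medium risk, moderate friction
    STEP_UP = "PIN plus biometric step-up"           # high risk
    CALL_CUSTOMER_SERVICE = "call customer service"  # watch-list hit

@dataclass(frozen=True)
class DeviceContext:
    # Signals the deck lists as inputs to the context-and-risk engine
    known_device: bool      # device ID already associated with this user
    geo_consistent: bool    # geolocation plausible given recent sessions
    integrity_ok: bool      # device and app integrity checks passed
    bad_reputation: bool    # associations or reputation tied to prior fraud
    on_watch_list: bool     # explicit watch-list entry for device or account

# Constructed weights and thresholds (hypothetical): the deck shows sample
# contributions such as +10, +200 and -1000 but does not publish its model.
WEIGHTS = {"unknown_device": 200, "geo_mismatch": 100,
           "integrity_failure": 300, "bad_reputation": 150}
MEDIUM_THRESHOLD = 100  # at or above: ask for a password
HIGH_THRESHOLD = 300    # at or above: require step-up authentication

def risk_score(ctx: DeviceContext) -> int:
    """Add a penalty for every signal that is off; a clean known device scores 0."""
    score = 0
    if not ctx.known_device:
        score += WEIGHTS["unknown_device"]
    if not ctx.geo_consistent:
        score += WEIGHTS["geo_mismatch"]
    if not ctx.integrity_ok:
        score += WEIGHTS["integrity_failure"]
    if ctx.bad_reputation:
        score += WEIGHTS["bad_reputation"]
    return score

def decide(ctx: DeviceContext) -> Action:
    """Map the score to an authentication path; a watch-list hit bypasses scoring."""
    if ctx.on_watch_list:
        return Action.CALL_CUSTOMER_SERVICE  # no online path, as on slide 17
    score = risk_score(ctx)
    if score < MEDIUM_THRESHOLD:
        return Action.FRICTIONLESS
    if score < HIGH_THRESHOLD:
        return Action.PASSWORD
    return Action.STEP_UP
```

The watch-list check runs before any scoring so that a negative signal strong enough to remove the online path cannot be offset by otherwise good device context.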
19. WHO ASKS FOR MFA?
WHAT REGULATIONS AND STANDARDS ARE IN PLAY?
20. SIMPLE DEADLINES
• 13 January 2018: PSD2 goes into effect for member states
• November-December 2018: The RTS (Regulatory Technical Standards) enter into force
• Exceptions are managed
• Systems are auditable
21. TWO THINGS TO NOTE
This is about “out-of-band” authentication. Basically, use two different channels and two different methods to authenticate and authorize.
22. TWO THINGS TO NOTE
Example out-of-band exchange shown on the slide:
“Smith Fashions wants to have €250. Is this OK?”
“What for?”
“Looks like you ordered a new coat at breakfast.”
“That’s right. Go ahead.”
23. SCA REQUIRES AUTHORIZATION
DIFFERENT FROM AUTHENTICATION
AUTHENTICATION
• Identity assurance
• Are you really you?
• How have you proven you are you?
AUTHORIZATION
• OK, you’re you!
• But are you authorized to do what you’re asking to do?
• Do you approve this?
25. WHO ELSE ASKS FOR BETTER AUTHENTICATION?
Meet the user experience team, aka:
• Digital experience
• Digital transformation
• Customer experience
• Millennials who know what “good” user experience looks like, feels like, and measures
Poor or complex authentication is the Number One complaint of users across all verticals:
• Finance
• E-Commerce
• Social
• Insurance
27. ENGAGE YOUR CROSS-FUNCTIONAL TEAMS
[Diagram: Fraud Team, IAM & Infosec Team, User Experience Team]
28. ENGAGE YOUR CROSS-FUNCTIONAL TEAMS
FRAUD TEAM
• The Fraud Team has irreplaceable insight but is often seen as tactical
• The fraud team also has something most teams don’t: actual cost metrics
• Create an alliance!
• Learn the language of infosec experts
IAM & INFOSEC TEAM
• Nobody wants to be the “Director of No”
• Look to your left and right and reach out
• Become customer-centric
• Consider ideas outside of the infosec sphere
• Understand what Fraud is
USER EXPERIENCE TEAM
• Be a Change Agent – all the power is in your hands
• Teach the other teams your language and your metrics
• Enlist aid, ask for help
• Be the expert, but get everyone else to care about the user journey